System with a plurality of lower tiers of information coupled to a top tier of information

ABSTRACT

An event clustering system includes a processor. An extraction engine is in communication with an infrastructure. The extraction engine receives data from the infrastructure. A signalizer engine includes one or more of an NMF engine, a k-means clustering engine and a topology proximity engine. The signalizer engine determines one or more common steps from events and produces clusters relating to the alerts and or events. In response to production of the clusters one or more physical changes are made in a managed infrastructure hardware. Multi-systems interact with each other.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the priority benefit of all of the following: AContinuation-In-Part of patent application Ser. No. 16/236,551 filed onDec. 30, 2018, which is a Continuation-In-Part of patent applicationSer. No. 16/140,508, filed on Sep. 24, 2018, which claims the prioritybenefit of U.S. Provisional Patent Application 62/720,207, filed on Aug.21, 2018. This application is also a Continuation-In-Part of patentapplication Ser. No. 16/043,168, filed on Jul. 24, 2018, which claimsthe priority benefit of U.S. Provisional Patent Application 62/612,438,filed on Dec. 30, 2017, U.S. Provisional Patent Application 62/612,435,filed on Dec. 30, 2017, U.S. Provisional Patent Application 62/612,437,filed on Dec. 30, 2017, which is a Continuation-In-Part of patentapplication Ser. No. 16/041,851, filed on Jul. 23, 2018, which is aContinuation-In-Part of patent application Ser. No. 16/041,792, filed onJul. 22, 2018, which is a Continuation-In-Part of patent applicationSer. No. 15/811,688, filed on Nov. 14, 2017, which is aContinuation-In-Part of patent application Ser. No. 15/810,297, filed onNovember 13, which is a Continuation-In-Part of patent application Ser.No. 15/596,648, filed on May 16, 2017, which is a Continuation-In-Partof patent application Ser. No. 15/592,689, filed on May 11, 2017, whichis a Continuation-In-Part of patent application Ser. No. 14/606,946,filed on Jan. 27, 2017, which claims the priority benefit of U.S.Provisional Patent Application 62/538,941, filed on Jul. 31, 2017, U.S.Provisional Patent Application 62/451,321 filed on Jan. 27, 2017, U.S.Provisional Patent Application 62/446,088 filed on Jan. 13, 2017.

BACKGROUND Field of the Invention

This invention relates generally to event/message processing for amanaged infrastructure, and more particularly to systems, and moreparticularly to system with a plurality of lower tier levels eachcoupled to a top tier level, where a user of the top tier level can acton a lower tier level, but a user of a lower tier level can-not goacross other lower tier levels to make alterations.

Description of the Related Art

The World Wide Web is increasingly becoming a more important and morefrequently used form of communication between people. The primary formof web-based communication is electronic mail. Other forms ofcommunication are also used, however, such as news groups, discussiongroups, bulletin boards, voice-over IP, and so on. Because of the vastamount of information that is available on the web, it can be difficultfor a person to locate information that may be of interest. For example,a person who receives hundreds of electronic mail messages/events frominfrastructure a day may find it impractical to take the time to storethe messages/events from infrastructure in folders of the appropriatetopic. As a result, it may be difficult for the person to later find andretrieve all messages/events from infrastructure related to the sametopic. A similar situation arises when a person tries to locate newsgroups or discussion groups of interest. Because there may be noeffective indexing of these groups, it can be difficult for the personto find groups related to the topic of interest.

Some attempts have been made to help the retrieval of information ofinterest by creating web directories that provide a hierarchicalorganization of web-based information. The process of creating thedirectories and deciding into which directory a particular piece ofinformation (e.g., a news group) should go is typically not automated.Without an automated approach it is impractical to handle the massiveamounts of web-based information that are being generated on a dailybasis. Moreover, because a person may not be fully aware of the entireweb directory hierarchy or may not fully understand the semantics ofinformation, the person may place the information in a directory that isnot the most appropriate, making later retrieval difficult. It would bedesirable to have an automated technique that would help organize suchinformation.

The advent of global communications networks such as the Internet hasprovided alternative forms of communicating worldwide. Additionally, ithas increased the speed at which communications can be sent andreceived. Not only can written or verbal messages/events frominfrastructure be passed through the Internet, but documents, soundrecordings, movies, and pictures can be transmitted by way of theInternet as well. As can be imagined, inboxes are being inundated withcountless items. The large volume can more than difficult to manageand/or organize for most users.

In particular, a few of the more common activities that a user performswith respect to email, for example, are: sorting of new messages/eventsfrom infrastructure, task management of using messages/events frominfrastructure that can serve as reminders, and retrieval of pastmessages/events from infrastructure. Retrieval of recent messages/eventsfrom infrastructure can be more common than older messages/events frominfrastructure. Traditional systems employed today support at least someaspect of these three activities using folders such as an inbox,task-oriented folders, and user-created folders, respectively. However,this as well as other existing approaches present several problems. Thefolders make stark divisions between the three activities which are notconducive or coincident with user behavior, in general. For example,tasks are not visible to the user, or rather are “out of sight, out ofmind”, and thus can be easily, if not frequently, neglected, overlooked,or forgotten. In addition, in many current systems any given message canonly be in one folder at a time. Hence, the particular message cannotserve multiple activities at once. Other current systems have attemptedto ease these problems; however, they fall short as well for similarreasons.

A user can communicate using one or more different messaging techniquesknown in the art: email, instant messaging, social network messaging,cellular phone messages/events from infrastructure, etc. Typically, theuser can accumulate a large collection of messages/events frominfrastructure using one or more of these different messagingtechniques. This user collection of messages/events from infrastructurecan be presented as a large collection of messages/events frominfrastructure with limited options of grouping or clustering themessages/events from infrastructure.

One way of grouping messages/events from infrastructure is to groupmultiple emails into an email thread. An email thread is a collection ofemails that are related based on the subjects of the emails. Forexample, one user sends an email to one or more users based on a givensubject. Another user replies to that email and a computer would markthose two emails as belonging to a thread. Another way for groupingmessages/events from infrastructure is put the messages/events frominfrastructure into folders. This can be done manually by the user orcan be done automatically by the user setting up rules for messageprocessing.

Document clustering and classification techniques can provide anoverview or identify a set of documents based upon certain criteria,which amplifies or detects certain patterns within its content. In someapplications these techniques lead to filtering unwanted email and inother applications they lead to effective search and storage strategies.An identification strategy may for example divide documents intoclusters so that the documents in a cluster are similar to one anotherand are less similar to documents in other clusters, based on asimilarity measurement. One refers to the process of clustering andclassification as labeling. In demanding applications labeling cangreatly improve the efficiency of an enterprise, especially for storageand retrieval applications, provided that it is stable, fast, efficient,and accurate.

Users of information technology must effectively deal with countlessunwanted emails, unwanted text messages/events from infrastructure andcrippling new viruses and worms every day. This largely unnecessarilyhigh volume of network traffic decreases worker productivity and slowsdown important network applications. One of the most serious problems intoday's digital economy has to do with the increasing volume of spam. Assuch, recipients of email as well as the service providers needeffective solutions to reduce its proliferation on the World Wide Web.However, as spam detection becomes more sophisticated, spammers inventnew methods to circumvent detection. For example, one prior artmethodology provides a centralized database for maintaining signaturesof documents having identified attributes against which emails arecompared, however, spammers now modify the content of their email eitherslightly or randomly such that the message itself may be intelligible,but it evades detection under various anti-spam filtering techniquescurrently employed.

At one time, at least 30 open relays dominated the world, burstingmessages/events from infrastructure at different rates and differentlevels of structural variation. Because certain types of email mutate orevolve, as exemplified by spam, spam-filtering detection algorithms mustconstantly adjust to be effective. In the case of spam email, forexample, the very nature of the spam corpus undergoes regime changes.Therefore, clustering optimality depends heavily on the nature of thedata corpus and the changes it undergoes.

Decomposing a traffic matrix has proven to be challenging. In onemethod, a matrix factorization system is used to extract applicationdependencies in an enterprise network, a cloud-based data center, andother like data centers, using a temporal global application trafficgraph dynamically constructed over time and spatial local trafficobserved at each server of the data center. The data center includes aplurality of servers running a plurality of different applications, suchas e-commerce and content delivery. Each of the applications has anumber of components such as a, web server, application server anddatabase server, in the application's dependency path, where one or moreof the components are shared with one or more of the other applications.

Because such data centers typically host a large number of multi-tierapplications, the applications requests are overlapped, both in thespatial and temporal domains, making it very difficult for conventionalpairwise statistical correlation techniques to correctly extract theseinterleaved but independent applications. A matrix-based representationof application traffic is used which captures both system snapshots andtheir historical evolution. The system and method decompose a matrixrepresentation of application graphs into small sub-graphs, eachrepresenting a single application.

The number of applications is usually unknown a priori due tointerleaving and overlapping application requests, which further imposesa challenge to discovery of the individual application sub-graphs. Inone prior method and system, the number of applications is determinedusing low rank matrix estimation either with singular valuedecomposition or power factorization-based solvers, under complete andincomplete traffic data scenarios, with theoretical bound guarantee.

Traffic tapping from switches is limited by the capability of switchesas well as the monitoring hosts. A switch typically can mirror only afew ports at the same time. In addition, monitoring data collected overmultiple switches, each with multiple ports may result in high-volumeaggregate network traffic and potentially packet loss. Both cases leadto significant loss in the monitoring data.

One system and method to overcome this problem utilizes historical datato provide redundancy and employs power factorization-based techniquesto provide resilience to data loss and estimation errors. In one systemand method, a distributed network monitors and centralizes dataprocessing to determine application dependency paths in a data center.

The majority of current service management solutions are rule based. Theconcept behind rule-based systems is that you start with the system youare monitoring, analyze and model it, turning it into a series ofbusiness logic rules that respond to events as they occur. For example,in response to some logged text, you apply logic that turns the textinto a database record to which you apply more logic that turns it intoan alert, before applying again more logic to connect the alert to atrouble ticket.

There is a need for a system with a plurality of lower tier levels eachcoupled to a top tier level, where a user of the top tier level can acton a lower tier level, but a user of a lower tier level can-not goacross other lower tier levels to make alterations.

SUMMARY

An object of the present invention is to provide a system withseparation and independent management of tiers in a system, allowingmulti-systems to interact with each other.

Another object of the present invention is to provide a system with dataseparation and scale.

A further object of the present invention is to provide a system withconsolidation of information from a space and an aggregation ofinformation from a lower tier level to a higher or a top tier level.

Yet another object of the present invention is to provide a system witha plurality of lower tier layers, each having a link to an upper or toptier level.

Another object of the present invention is to provide a system with aplurality of lower tier layers, where each lower tier layer is adiscrete operational area, and a top tier level that has access to allof the lower tier layers.

A further object of the present invention is to provide a system with aplurality of lower tier layers without cross-lower tier levelentanglement.

Still another object of the present invention is to provide a systemwith a plurality of lower tier levels each coupled to a top tier level,where a user of the top tier level can act on a lower tier level, but auser of a lower tier level can-not go across other lower tier levels tomake alterations.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates one embodiment of an event clustering system of thepresent invention.

FIG. 2 illustrates a token counter, text extraction and implementationof Shannon entropy in one embodiment of the present invention.

FIGS. 3(a) and 3(b) illustrate embodiments of dashboards that can beaccessed by users of the event clustering system.

FIG. 4 illustrates processing of alerts, and a matrix M, in oneembodiment of the present invention.

FIG. 5 illustrates an embodiment of a signalizer engine and the creationof alerts where member of cluster indicates common factors in oneembodiment of the present invention.

FIG. 6 illustrates k-mean decomposition, a created graph with graphcoordinates in one embodiment of the present invention.

FIG. 7 illustrates one embodiment of alert mapping and vector generationin one embodiment of the present invention.

FIG. 8 illustrates NMF decomposition in one embodiment of the presentinvention.

FIG. 9 illustrates the interaction of link access modules with a messagebus, algorithm engines, cluster creation and a situation room in oneembodiment of the present invention.

FIG. 10 illustrates one embodiment of a deduplication engine that can beused with the present invention.

FIG. 11 illustrates one embodiment of actions that can be takenfollowing event clustering generation.

FIG. 12 is a schematic diagram of a processing system according to anembodiment.

FIG. 13 is an example process that may be implemented using the systemsshown in FIG. 1.

FIG. 14 is an example software architecture diagram that may beimplemented using the systems shown in FIG. 1.

FIG. 15 is a screen display of a dashboard display system that may beused to configure a dashboard.

FIG. 16 is a screen display of the dashboard external interface screenthat may allow another software program to transmit data in the datarange.

FIG. 17 is a screen display that allows a user to choose a chart view inorder to display data in a graphical format.

FIG. 18 is an example screen display showing the data mapping feature ofthe dashboard configuration screen.

FIG. 19 is an example screen display showing the graphical display ofthe data using the dashboard configuration shown in FIGS. 4-7.

FIGS. 20 through 22 illustrate one embodiment of a mobile deviceinfrastructure that can be used with the clustering system of thepresent invention.

FIG. 23 is a block diagram illustrating a reporting engine in oneembodiment of the present invention.

FIG. 24 illustrates one embodiment of a flow diagram relative to areporting engine such as the one shown in FIG. 23.

FIG. 25 illustrates in a block diagram one embodiment of reportingengine metadata that can be used with the present invention.

FIG. 26 illustrates one embodiment of lower tiers coupled to an uppertier.

DETAILED DESCRIPTION

As used herein, the term engine refers to software, firmware, hardware,or other component that can be used to effectuate a purpose. The enginewill typically include software instructions that are stored innon-volatile memory (also referred to as secondary memory) and aprocessor with instructions to execute the software. When the softwareinstructions are executed, at least a subset of the softwareinstructions can be loaded into memory (also referred to as primarymemory) by a processor. The processor then executes the softwareinstructions in memory. The processor may be a shared processor, adedicated processor, or a combination of shared or dedicated processors.A typical program will include calls to hardware components (such as I/Odevices), which typically requires the execution of drivers. The driversmay or may not be considered part of the engine, but the distinction isnot critical.

As used herein, the term database is used broadly to include any knownor convenient means for storing data, whether centralized ordistributed, relational or otherwise.

As used herein a mobile device includes, but is not limited to, a cellphone, such as Apple's iPhone®, other portable electronic devices, suchas Apple's iPod Touches®, Apple's iPads®, and mobile devices based onGoogle's Android® operating system, and any other portable electronicdevice that includes software, firmware, hardware, or a combinationthereof that is capable of at least receiving a wireless signal,decoding if needed, and exchanging information with a server to send andreceive cultural information data including survey data. Typicalcomponents of mobile device may include but are not limited topersistent memories like flash ROM, random access memory like SRAM, acamera, a battery, LCD driver, a display, a cellular antenna, a speaker,a BLUETOOTH® circuit, and WIFI circuitry, where the persistent memorymay contain programs, applications, and/or an operating system for themobile device.

As used herein, the term “computer” is a general-purpose device that canbe programmed to carry out a finite set of arithmetic or logicaloperations. Since a sequence of operations can be readily changed, thecomputer can solve more than one kind of problem. A computer can includeof at least one processing element, typically a central processing unit(CPU) and some form of memory. The processing element carries outarithmetic and logic operations, and a sequencing and control unit thatcan change the order of operations based on stored information.Peripheral devices allow information to be retrieved from an externalsource, and the result of operations saved and retrieved. Computer alsoincludes a graphic display medium.

As used herein, the term “Internet” is a global system of interconnectedcomputer networks that use the standard Internet protocol suite (TCP/IP)to serve billions of users worldwide. It is a network of networks thatconsists of millions of private, public, academic, business, andgovernment networks, of local to global scope, that are linked by abroad array of electronic, wireless and optical networking technologies.The Internet carries an extensive range of information resources andservices, such as the inter-linked hypertext documents of the World WideWeb (WWW) and the infrastructure to support email. The communicationsinfrastructure of the Internet consists of its hardware components and asystem of software layers that control various aspects of thearchitecture.

As used herein, the term “extranet” is a computer network that allowscontrolled access from the outside. An extranet can be an extension ofan organization's intranet that is extended to users outside theorganization in isolation from all other Internet users. An extranet canbe an intranet mapped onto the public Internet or some othertransmission system not accessible to the general public, but managed bymore than one company's administrator(s). Examples of extranet-stylenetworks include but are not limited to:

-   -   LANs or WANs belonging to multiple organizations and        interconnected and accessed using remote dial-up    -   LANs or WANs belonging to multiple organizations and        interconnected and accessed using dedicated lines    -   Virtual private network (VPN) that is comprised of LANs or WANs        belonging to multiple organizations, and that extends usage to        remote users using special “tunneling” software that creates a        secure, usually encrypted network connection over public lines,        sometimes via an ISP.

As used herein, the term “Intranet” is a network that is owned by asingle organization that controls its security policies and networkmanagement. Examples of intranets include but are not limited to:

-   -   A LAN    -   A Wide-area network (WAN) that is comprised of a LAN that        extends usage to remote employees with dial-up access    -   A WAN that is comprised of interconnected LANs using dedicated        communication lines    -   A Virtual private network (VPN) that is comprised of a LAN or        WAN that extends usage to remote employees or networks using        special “tunneling” software that creates a secure, usually        encrypted connection over public lines, sometimes via an        Internet Service Provider (ISP).

For purposes of the present invention, the Internet, extranets andintranets collectively are referred to as (“Network Systems”).

For purposes of the present invention, the term “Infrastructure” means,information technology, the physical hardware used to interconnectcomputers and users, transmission media, including telephone lines,cable television lines, and satellites and antennas, and also therouters, aggregators, repeaters, computers, network devices,applications, and other devices that control transmission paths,software used to send, receive, and manage the signals that aretransmitted, and everything, both hardware and software, that supportsthe flow and processing of information.

As used herein, “event message” or “event” is defined as a change instate. An event is anything that happens, or is contemplated ashappening in message form or event form relating to infrastructure. Anevent can include a time stamp, and a name for the entity changingstate.

Referring to FIG. 1, a system 10 is provided for clustering eventsreceived from an infrastructure 14.

In one embodiment the system 10 is an event clustering system 10 thatincludes an extraction engine 12 in communication with an infrastructure14. As a non-limiting example, infrastructure 14 includes, computers,network devices, appliances, mobile devices, applications, connectionsof any of the preceding, text or numerical values from which those textor numerical values indicate a state of any hardware or softwarecomponent of the infrastructure 14. The infrastructure 14 generates datathat includes attributes. As a non-limiting example, the data isselected from at least one of, time, source a description of the event,textural or numerical values indicating a state of the infrastructure14. The extraction engine 12 breaks event messages into subsets ofmessages that relate to failures or errors in the infrastructure 14. Thesubsets of messages can be grouped into clusters.

In one embodiment, the extraction engine 12 includes a server. Theextraction engine 12 extracts text components from the event messagesand converts them into words and subtexts. The extraction engine 12 thenreformats data from the event messages to create reformatted data. Inone embodiment, the reformatted data is received at a system bus.

In one embodiment the events are converted into words and subsets togroup the events into clusters that relate to security of the managedinfrastructure. In response to grouping the events, physical changes aremade to at least a portion of the physical hardware. In response to theproduction of the clusters security of the managed infrastructure ismaintained.

In one embodiment security includes at least one of managedinfrastructure: breach, intrusion or propagation. In one embodimentsecurity includes managed infrastructure: access control, intrusiondetection and threat propagation. As non-limiting examples securityincludes at least one of: authentication of a subject; authorization tothe managed infrastructure of a subject; authorization that specifieswhat a subject can do relative to the managed infrastructure; audit;identification and authentication to ensure that only authorizedsubjects can access the managed infrastructure; and access approvalgrants to the managed infrastructure by association of users withresources that they are allowed to access, based on an authorizationpolicy.

The extraction engine 12 receives infrastructure 14 data and producesclustering events and populates a database 16 with a dictionary of evententropy. This can be achieved with a token counter as illustrated inFIG. 2. As a non-limiting example, the database 16 can be a no-SQLrelational database 16. In one embodiment, an entropy database 16 isgenerated with the word and subtexts. As a non-limiting example, theentropy database is generated using Shannon Entropy, −ln(1/NGen) andnormalizes the words and subtexts as follows:

−ΣP·(t)log P(t)

where,

P(t,)=probability of each item is selected randomly from an entiredataset.

An entropy database can be provided. In one embodiment, the entropynormalizes clustering events across data, datasets, from theinfrastructure 14. As a non-limiting example, normalized entropy forclustering events is mapped from a common, 0.0 and a non-common, 1.0, asdiscussed hereafter. Entropy is assigned to the alerts. The entropy foreach event is retrieved from an entropy dictionary, as it enters thesystem 10. This can be done continuously in parallel with otheroperation of the extraction engine 12 or run non-continuously.

In one embodiment, illustrated in FIGS. 3(a) and 3(b) a dashboard 18,associated with a situational room, is included which allows entitiesand/or people to manipulate messages/clustering events frominfrastructure, alerts or clustering events.

An alert engine 20 receives the clustering events and creates alertsthat are mapped into a matrix “M” of clustering events, as illustratedin FIG. 4 and as more fully explained hereafter. As a non-limitingexample, M_(ik) is the matrix of clustering events.

A sigalizer engine 22 includes a plurality of engines as illustrated inFIG. 5. As non-limiting examples, an NMF engine 24, a k-means clusteringengine 26 and a topology proximity engine 28 are provided. Eachsignalizer engine 22 includes a processor and an arithmetic logic unit“ALU”. Examples of suitable ALUs are found in EP 0171190 and EP 0271255,fully incorporated herein by reference. In one embodiment, the sigalizerengine 22 determines one or more steps from clustering events andproduces clusters relating to the alerts and or clustering events.

The sigalizer engine 22 determines sigalizer common steps to ascertainhow many clusters to extract from clustering events. Membership in acluster indicates a common factor, which can be a failure or anactionable problem in the infrastructure 14. The sigalizer engine 22generates clusters of alerts. In one embodiment, an independent failurecount detection engine 29 is used for the production of common stepsdesignated as “k” from clustering events. The independent failure countdetection engine 29 can use SVD decomposition. The SVD decomposition isa continuation of a determination of sigalizer 22 common steps.

K is the number obtained from the common sigalizer steps. As anon-limiting example, common sigalizer steps are designated as where iare unique clustering events and are the rows of M, j represents thetime buckets in M. A value for M_(ij) equals the number of occurrencesof event i in time bucket j. This is the common input to the sigalizerengines 22.

The topology proximity 28 creates a graph coordinate system, FIG. 6. Inone embodiment the topology proximity 28 uses a source address for eachevent to assign a graph coordinate 30 of a graph 32, with nodes, to theevent with an optional subset of attributes being extracted for eachevent and turned into a vector. The topology proximity engine 28executes a graph topology and proximity algorithm.

M_(ik) undergoes K-means decomposition, FIG. 7. Each event is atransformed vector, where (V_(o) is transformed time stamp, V_(i),-V_(n)and so forth are transformed graph coordinates 30) are grouped into kclusters such that d(V_(i), V₂,) is minimized. In one embodiment, thetopology engine 28 inputs a list of devices and a list of hops, wherehop is a connection between components or nodes in the infrastructure14.

As a non-limiting example, the graph 32 can be constructed of any numberof points or nodes: A, B, C, and D, which relate to the source of anevent. The result is a connecting graph 32, FIG. 6.

The topology proximity engine 28 receives the coordinate's mapping, andclusters are generated. V base nodes calculate a minimum hop to everyother node which gives coordinate and the graph coordinates 30 aremapped.

In one embodiment, the k-means clustering engine 26 uses the graphcoordinates 30 to cluster the clustering events using a k-meansalgorithm to determine hop proximity of the source of the event.

M,k is processed by the sigalizer engine 22. M_(ab) is transformed toA_(ak)

B_(kb), where a equals rows, and b equals columns, x defines the normaloperation of matrix multiplication. M is the matrix as stated above, andk is as recited above.

The NMF algorithm produces two matrices, A and B, FIG. 8. A representsby cluster (a common failure) and B represents time bucket by cluster (acommon failure). In one embodiment, the NMF engine 24 factors the matrixM into A and B, where A are deemed to be significant and are extracted,e.g., clusters deemed significant are extracted. The system 10 looks forsignificantly high values as compared to statistically significantvalues in the A and B matrix. If they are not statistically significant,they are dropped. The statistically significant elements of M are usedto determine a cluster. As a non-liming example, the determination ofsignificance is based on high signatures in the matrix. As above, thosethat are not high enough are dropped and not included in the output ofclusters which is produced.

Each alert is mapped to a vector, V₀-V_(n), where V_(o) is a time stampt; V_(i) is an attribute of alert. In one embodiment, attributes of anevent are mapped to a vector V.

The vectors are grouped into k clusters using k-means such that d(V_(i),V₂,) is a minimum in its own cluster.

In one embodiment the grouping is executed also using a standardEuclidian distance. In one embodiment, a weighting of components issupplied. The system 10 transforms the alert attributes into a numbervalue that is used as the components of the vector. As a non-limitingexample, an alert attribute is a textual value. In one embodiment,similar attributes are mapped to numbers that are also similar or closerelative to the graph, with the closeness being dynamic and can bepredetermined, changed, modified, set, and the like.

In one embodiment of the matrix, M, columns are slices in time and therows are unique alerts. A unique alert is received from thededuplication engine which eliminates duplications and creates uniquealerts.

In one embodiment, the matrix, M is created with alert/time and a fixednumber of common alerts. The matrix M can be dynamic and change in time.The matrix M includes rows that can be unique alerts. The matrixincludes columns that are time buckets, and a number of occurrences areplotted.

Evaluated clustering events are either discarded or passed to clusterswith alerts are collected into time buckets and mapped in the matrix M.In one embodiment, a bucket width is a parameter that can be an input tothe signalizer engine 22.

Outputs from the sigalizer engines 22 are received at a compare andmerge engine 34. The compare and merge engine 34 communicate with one ormore user interfaces 36 in the situation room 18, FIG. 9. The threesigalizer algorithms are used with the comparison or merger engine 34and clusters are published on a system bus 38 for display in thesituation room 18.

As a non-limiting example, the bus 38 can be a publication message bus.As a non-limiting example, the bus 38 processes anything that goes fromA to B, and from B to A. In one embodiment, a data bus web server iscoupled to user interfaces as illustrated in.

As illustrated in FIG. 9, a plurality of link access modules 40 are incommunication with the data bus 38 and receive messages/clusteringevents. Events are received by a coordinator 42 that executes clusteringof the clustering events.

In one embodiment, normalized words and subtexts are mapped to a common,0.0 and a non-common, 1.0, as illustrated in FIG. 2.

The alerts can be run in parallel with the activities of the system 10.The alerts are passed to the sigalizer engine 22, FIG. 5.

In one embodiment, a deduplication engine 44 is used for event messagesof data streams received from the client, FIG. 10. The deduplicationengine 44 eliminates duplicate copies of repeating data. In oneembodiment, the deduplication engine reduces a number of bytes innetwork data transfers that need to be sent.

A computer scripting language script language can be included thatalters the clustering events or flow of clustering events. Asnon-limiting examples, the scripting language can be, Java, C, C++, C #,Objective-C, PHP, VB, Python, Pearl, Ruby, JavaScript and the like.

In one embodiment, the NMF, k-means, and/or topology proximityalgorithms are optionally repeated. The repeating can be performed byvarying k from the previously performed common steps in the sigalizerengine 22, and optionally along with the SVD decomposition.

Optionally, generated clusters are tested against a quality functionsupplied by the system 10 which evaluates a cluster's uniformity. In oneembodiment, the system 10 selects a best set clusters against thequality clusters.

As a non-limiting example, clusters are examiner against a customersupplied configuration database for each source of an event. As anon-limiting example, the examining can be performed to determine: atype of device; impacted users; relevant support experts, and the like,FIG. 11.

Example 1

As a non-limiting example, the NMF algorithm can be executed as follows:

-   -   Let M_(ij) by a n×p non-negative matrix, (i.e., with M>0, and        k>0 an integer).    -   Non-negative Matrix Factorization (NMF) consists in finding an        approximation

X=WH(A B),  (1)

where W, H are n k and k p non-negative matrices, respectively. Inpractice, the factorization rank r is often chosen such that r<<min(n,p) but is determined.

The main approach to NMF is to estimate matrices W and H as a localminimum: 1)

M=A B

A, B seed randomly tentatively adjusts A, B until the Frobenius distance∥M−A B∥ is minimized

where

D is a loss function that measures the quality of the approximation.Common loss functions are based on either the Frobenius distance or theKullback-Leibler divergence.

R is an optional regularization function, defined to enforce desirableproperties on matrices W and H, such as smoothness or sparsity.

Example 2

As a non-limiting example, a k-means algorithm is used as follows: Givena set of event vectors (x₁, x₂, . . . , x_(n)), where each observationis a d-dimensional real vector, k-means clustering aims to partition then observations into k sets (k≤n) S={S₁, S₂, . . . , S_(k)} so as tominimize the within-cluster sum of squares (WCSS):

$\underset{S}{\arg \; \min}{\sum\limits_{i = 1}^{k}\; {\sum\limits_{x_{j} \in S_{i}}\; {{x_{j} - \mu_{i}}}^{2}}}$

where μ_(i) is the mean of points in S_(i).

In one embodiment of the situation room 18, as illustrated in FIG. 1, asystem 110 is provided for creating, and displaying in a dashboarddirected to the system 10 from clustering messages received from theinfrastructure 14, also known as the dashboard system for the situationroom 18.

In one embodiment, the situation room 18 has a display that can beinteractive. The situation room 18 can be coupled to or includes adashboard design system 112, display computer system 114, and a datasystem 116.

In one embodiment, the system includes dashboard converter logic 118,data range determination logic 132, dashboard component generator 122,external interface logic 124, graphic library 126, and network interfacelogic 128. In one embodiment, the system includes data processingcomputing systems.

In one embodiment, the dashboard file converter logic 118 converts thesituations and alerts from system 10 from clustering messages receivedfrom the infrastructure 14 data structures and data, to be compatiblewith or match with the interface logic 124.

In one embodiment, the logic 118 provides communication between thegraphical dashboard and the problem walls from clustering messagesreceived from the infrastructure 14

The problem walls from clustering messages received from theinfrastructure 14 are provided as disclosed above.

In one embodiment, the logic 132, dashboard component generator 122 andthe external interface logic 124 are each used for designing the problemwalls from clustering messages received from the infrastructure 14.

A dashboard or SWF file can be included that establishes a data range,type of components and the external interface. In one embodiment, thelogic 132 is used for a data range in a spreadsheet associated with thedashboard file used to generate a visual display.

In one embodiment, a dashboard component generator 122 is provided thatallows a user to place problem walls from clustering messages receivedfrom the infrastructure 14 components with various attributes onto acanvas. The canvas can be a space where various visual components are.

In one embodiment, the user is able to choose components directed toproblem walls from clustering messages received from infrastructure 14elements from a different component. These can be included in a paneland the user can then place them on the canvas in any way that the userdesires.

In one embodiment, the components are provided by the client, by thesystem, by third parties, and from third parties. Examples of othercomponents include but are not limited to, graphs, style ofpresentation, additional information, comparisons, trends, artisticelements, text, and the like. In some embodiments, the user, or clientcan select the background, margins, presentation of elements and thelike.

In one embodiment, an external interface logic 124 is provided. Theinterface logic allows a dashboard to provide data ranges, permutations,trends, activities, and the like associated with problem walls fromclustering messages received from the infrastructure 14. In oneembodiment, interface logic 124 allows the business application softwareto export application data to be displayed in a dashboard in aninteractive visual format.

In various embodiments, a network interface logic 128 and 130 allows forconnectivity of the dashboard design system 112, display computer system114 and data system 116 to each other, or to public networks. In oneembodiment, a graphical file that has been configured by the computersystem 112 is stored in the data storage system 136. In one embodiment,the graphic file is used for data mapping, both during and after designtime, and can generate the display during a period of execution. Theexternal adapter can be utilized for communication between the datastorage system 136 and the graphical file.

In one embodiment, network interface logics 128 and 130 allow computersystems 112, 114 and 116 to connect to each other and the other computersystems. As a non-limiting example, the network interface logic 128 and130 can be one or more computers or web servers that provide a graphicaluser interface for clients or third parties that access the subsystemsof system 112, 114 or 116 through the internet or an intranet protocol.The network interface logic 128, and 130 can include other logicsconfigured to provide interfaces for other types of devices, includingbut not limited to mobile devices, server-based computing systems, andthe like.

As a non-limiting example, in one embodiment, the display computersystem 114 includes, network interface logic 130, context viewer system138, data storage system 136 and dashboard display system 140.

In another embodiment, the dashboard display system 140 is included inthe context viewer system 138, and be executed in a machine, one or moredisplay and other computers, with machine-readable storage media, cache,memory, flash drive or internal or external hard drive or in a cloudcomputing environment, non-transitory computer readable media ornon-transmissible computer-readable media, with stored instructionsexecuted by the machine to perform the operations. In one embodiment,the context viewer system 138 is a program product that performs variousprocessing functions. As non-limiting examples, these functions caninclude, receiving data from the data source, preparing data byaggregating, providing access to visualization capabilities, and thelike.

In one embodiment, the data storage system 136 stores data related toproblem walls from clustering messages received from the infrastructure14 applications executed on the display computer system 114.

In one embodiment, the data storage system 136 stores problem walls fromclustering messages received from the infrastructure 14 data orstatistical data. As a non-limiting example, the dashboard displaysystem 140 communicates with the display computer system 114 to displayproblem walls from clustering messages received from infrastructure 14data in a dashboard in a visual manner or in visual components usinggraphics. Displaying problem walls from clustering messages receivedfrom infrastructure 14 data graphically may include displaying bargraphs and/or pie charts or other visual displays. In order to generatethe dashboard display, the client can map dashboard data fields to theproblem walls from clustering messages received from infrastructure 14data fields. This allows access of data from problem walls fromclustering messages received from infrastructure 14 without datareplication.

Embodiments of the data storage system 136 may store a variety ofinformation including application data in database 130. The applicationdata database 130 may receive data from the data system 116. The datastorage system 136 may provide data to the context viewer system 138.More specifically, the data storage system 136 may provide data to thedata aggregation logic 142. The data storage system 136 may receiveappropriate data mapping instructions from the data mapping logic 144and query the data system 116 to correlate the data from one mappedfield in the dashboard tool to the mapped fields in the application data146.

Embodiments of the dashboard display system 140 may be provided on thedisplay computer system 114. In an example embodiment, the dashboarddisplay system 140 may transfer data from various data sources or datafrom various applications to external data ranges of the graphic fileand display the graphical interface during runtime operations. Thedashboard display system 140 may include all of the features discussedabove with regard to the dashboard design system 112. Also, thedashboard display system 140 also includes a dashboard execution logic148 and external interface logic 150. The external interface logic 150may have similar features as the external interface logic 124 of thedashboard design system 112. The external interface logic 150 may exposeselected data ranges of the dashboard to the business software data. Theexternal interface logic 150 may allow the business application softwareto export application data to be displayed in the dashboard in a visualformat instead of a textual format. During runtime when displaying thedashboard in the business application, the dashboard execution logic 148is configured to receive the data from the business application andgenerate a Flash Island interactive display as designed by the dashboarddesign system 112 or dashboard display system 140.

The data system 116 includes an application logic 152 and applicationdata 146. The data system 116 may be configured to provide data andcommunicate with the display computer system 114. The application logic152 is the server side of the application that provides back endinformation to the context viewer system 138. For example, theapplication logic 152 may comprise an Enterprise Resource Planning(ERP), Customer Relation Management (CRM) or Business Intelligence (BI)system. Business intelligence may refer to computer-based techniquesused to analyze business data, such as sales revenue by products and/ordepartments or associated costs and incomes. The application data 146may include relational or other types of databases. The application data146 includes various fields that may be mapped to the fields exposed bythe external dashboard interface.

FIG. 13 is an example process that may be implemented using the systemshown in FIG. 12. Initially, at step 154, in an example embodiment adashboard design user may build a dashboard using a dashboard buildingsoftware. The dashboard design user may configure the dashboard duringdesign time. In an example embodiment, design time may include thedesign user configuring the dashboard layout and exposing a related datarange. The dashboard design system 112 may be used to create a dashboardlayout. Building the dashboard includes placing components on the canvasand configuring the properties associated with those components. Asdiscussed above, the components may be among other components, a chartor graph. At step 156, the dashboard design user may determine andspecify using a graphical user interface the data ranges for thedashboard. After creating the dashboard, at step 158, the dashboard maybe exported automatically or by input from the dashboard design user toa SWF file format. Steps 154, 156 and 158 may be performed by thedashboard design user using the dashboard configuration system 112.

A business user may perform the other steps of FIG. 13 by using thedisplay computer system 114. In an example embodiment, the businessuser's steps may be performed during runtime. In this embodiment,runtime includes displaying of the dashboard in a business applicationusing data from business application data sources. In anotherembodiment, the business user may perform the steps described above withregard to the dashboard design user. At step 160, the business user mayopen the context viewer system where the business user may select achart view 198 as shown in FIG. 17. In the chart view tab, the businessuser may assign the dashboard or SWF® file to a query view by specifyingthe location of the file. At step 162, the dashboard data ranges thatwere determined at step 156 may be mapped to query view fields. In anexample embodiment, the data from the data source 136 (or 116) is placedin the mapped location in the dashboard. In another example embodiment,the mapping between application data and graphical interface data mayidentify which application data may be shown in the reserved placeholderof the dashboard. After mapping the data ranges, at step 164 thedashboard may be displayed in the business application. In oneembodiment the business application may be software applications thatprovide various functionalities such as, customer relationshipmanagement, enterprise resource management, product lifecyclemanagement, supply chain management and supplier relationshipmanagement. In another embodiment, the dashboard may be configured toreceive data from the data system 116 after the mapping has occurred orthe data may be accessed during runtime.

FIG. 14 is an example software architecture that may be implementedusing the system in FIG. 12. The software architecture diagram shown inFIG. 14, shows various software layers, such as, graphic player 166,component Dynamic HTML or Java® Script 168, and Server (Java® or Java®based or other high-level programming language based) 170 layers. Inparticular, the generic adapter 172 may be built with the Flash Islandlibrary, which may facilitate the client-side communication between HTMLand JavaScript® The Dynamic HTML 168 may load the generated dashboard ina graphic file, or Flash/SWF representation. The generic adapter 172 mayconvert the Java® context into structures that match the dashboard'sexternal interface format or the dashboard format. The generic adapter172 allows the business user to generate a dashboard in a businessanalytic software using the most updated data from a data source withoutwriting any customized software. The generic adapter 172 may loaddashboard data ranges and convert the associated data into an XML®string that may be used for further conversion into an ABAP® string,which may be used by the business analytic software.

In another embodiment, the generic adapter 172 may convert the FlashIsland properties into dashboard structures. In an example embodiment,the generic adapter 172 may be used to load external dashboard rangesduring the configuration stage, at step 162. In this embodiment, thegeneric adapter 172 may push application data to the data ranges definedin step 162. In another embodiment, the generic adapter 172 may providean application programming interface between the graphic player 166 andthe server 170. The generic adapter 172 may load dashboard rangesautomatically and the dashboard data ranges may be converted into XMLstrings. The XML string may be converted into Java® or ABAP® code whichmay be executed by the business application 174, to display a dashboard.The server 170 may include NetWeaver®, ABAP® or Java® languageprogramming and the server may include various systems that aresupported in the business software suit, the runtime 382, application174, database 176 and business intelligence application 178. In anotherembodiment, the functionality of the server 170 may be implemented bythe display computing system 114. In yet another embodiment thefunctionality of server 170 may be divided between the display computingsystem 114 and data system 116. In another embodiment, the graphicplayer 166 may be implemented on the dashboard design system 112.Additionally, or alternatively, the functionality of the graphic player166 may be implemented on the display computing system 114.

FIG. 15 shows a screen display 180 of the dashboard designer that may beused to design a dashboard display according to the system shown in FIG.12. The dashboard designer may be executed by the dashboard designsystem 112. The dashboard may be created on the canvas 182. A dashboarddesign user may place the components from the component panel on thecanvas 182. As shown in FIG. 15, the canvas 182 has a bar graph 184 anda pie chart 186 that are displayed in this example dashboard. Thedashboard 180 shown in FIG. 15 is using example data from thespreadsheet shown at the bottom of FIG. 15. For example, the labels ofthe bar graph “Incorrect labeling”, “Wrong component” and “Materialdefects” are from the spreadsheet shown below. In particular, the cellrange from B4 to D5 440 was selected as input into the properties of thebar graph and the pie chart. Next, the data in the bar graph and the piechart is received from cell range B5 to D5. In order to generate thisdashboard, the dashboard design user may associate various data fieldswith particular component properties.

FIG. 16 is a screen display of the dashboard external interface that canpermit another software program to access the dashboard controls anddisplay. The external interface connection 188 may allow data from theapplication system to be passed to a cell range of the dashboard or SWFfile, using push technology. During the execution of the dashboard orruntime, data may be pushed or sent from the data source, based on themapping, to the dashboard. In this embodiment, the data may betransferred in tabular form across an interface. In another embodimentthe external interface connection 188 may allow the use of pulltechnology, where the data is pulled by the context viewer system 138.In another embodiment, during the configuration of the dashboard whenthe “Generate XC Fields” button is clicked, the defined data ranges willbe pulled to the system 150, for example in FIG. 16. The externalinterface connection 188 may be configured using a definition tab 190,range name 192, range type, range 194 and access type properties.External interface connections allow a dashboard design user to exposeselected data ranges relating to the dashboard display. The range name192 in FIG. 16 is shown as Labels and the range 194 being assigned,“Table 1 !$B$4:$D$4” which is the cell range from B4 to D4. In thisexample embodiment, the labels from B4 to D4 will be used for mappingthe Labels field. After specifying the data range, the dashboard designuser may export the dashboard as a file, the file may be executed byvarious software program including business software.

FIG. 17 is a screen display that allows a user to choose a chart view inorder to display a dashboard. In particular, the query view 196 is partof the context viewer application and includes various data types from abusiness analytics database. If the user chooses to view a chart, theuser may select the chart view 198. After a user selects the chart view198 then the user may be presented with a screen shown in FIG. 18.

FIG. 18 is an example screen display showing the data mapping for thedashboard configuration screen. Screen 210 shows a user interface wherethe user may select (using a pull-down menu) the type of technology 212the user plans to use for the chart view display. Here, the user mayselect the type of dashboard file that was created as the technology.Next, the file path 214 of the exported dashboard or SWF file may bespecified. After choosing a SWF file, the user may select the “Uploadfile to repository” button 730 in order to save a graphic file (SWFfile) in the system 138. After selecting button 740 “Generate XCFields”, may be the name of the dashboard external data ranges (e.g.“Damages” and “Labels” in FIG. 16). In the mapping shown in FIG. 18, theuser may enter or browse for the name of data source (Query ID). Forexample, the Query ID shown in this example is “ZOK_QN”. This entry ismapped against the data source that may be stored in the applicationdata 146. The user may search for the Query Field ID, which is aspecific field of data source Query ID (e.g. field “CODE TEXT” of QueryID “ZOK_QN” in the provided example). Creating this mapping allows thedashboard to utilize the data in the application data 146 or 130. As canbe appreciated that programming in a textual or visual manner is notrequired and the user may create the dashboard, export the dashboard,map the fields and display the dashboard as shown in FIG. 19 using agraphical user interface that responds to a pointing device (e.g. mouse,pen or display device that is sensitive to touch or ocular movement).

FIG. 19 is an example screen display showing the graphical display ofthe data using the dashboard configuration from FIGS. 15-18. FIG. 19shows a dashboard 216 that includes the bar graph 218 and pie chart 220.The labels and the value data in the bar and the pie charts 218 and 220are from the business software and are different than the data used inFIG. 15. Therefore, the user can create a display of a dashboard inanother application by using an external connection that may expose datafields to permit the visualization of any type of data.

The embodiments refer to a dashboard that may be a web-based or othertechnology-based display on which real time data is collated, processedand displayed from multiple data sources that belong to one or morebusinesses. Other terms that may be used to describe a dashboard,include, digital dashboard, enterprise dashboard, business dashboard,executive dashboard, operational dashboard, BI dashboard, databasedashboard, Web dashboard, performance dashboard, score card, KPIdashboard, metrics dashboard and so on. Dashboards may be designed tohelp any user monitor what's happening or has happened in the pastvisually or at a glance. Dashboards may provide the user a means torapidly monitor the current status. Accordingly, dashboards must bedesigned to take advantage of the strengths of visual perception,cognition and work around or augment the user's weaknesses.

Embodiments can include a system for displaying data stored on computerreadable non-transitory media. The system configured to access one ormore data fields within a file. The file having been configured using anexternal connection adapter. The system may include a display computersystem configured to map the accessed one or more data fields to datafrom one or more data sources, the mapping being performed based on auser input via a graphical user interface. In this embodiment, thesystem may be configured to display on the display computer system adashboard according to the configuration setting stored in the file, thedashboard may show a graphical representation of the data from the oneor more data sources and information from the one or more data fields.

In another embodiment, the dashboard includes dashboard display systemthat processes the data from the one or more data sources and displays avisual representation of the data in a graph or chart form.Alternatively, or additionally, the dashboard includes a component thatis modified by using a graphical user interface such that the dashboarddisplay or components are modified.

In another embodiment, the file is generated by a first software programlocated in the dashboard design system that is configured to generatethe dashboard. The display computing system may further compriseexecuting a second software program on the display computer system toretrieve the data from the one or more data sources and displaying thedashboard. The display computing system may include converting, using ageneric adapter, the data from the one or more data sources into datastructures that are compatible with a format of the graphic file.

In another embodiment the data is converted from the one or more datasources into data structures that are compatible with a format of thefile using the external connection adapter. The file can be a short webformat file that exposes one or more data fields that may be mapped tofields in one or more data sources. In another embodiment, the mappingmay occur via a graphical user interface free of receiving textualprogramming code from the user.

In another embodiment, a computer-implemented method is stored on acomputer readable media. Visualization software is integrated with adata processing application that includes configuring a dashboarddisplay using a dashboard design system. The dashboard display can useone or more first data ranges from a spreadsheet as example data. Anexternal connection adapter can be used to provide access to one or morefirst data ranges that are to be displayed in the dashboard display.

In other embodiments, the dashboard display is exported in a graphicfile format. In certain embodiments, one or more first data ranges areaccessed from the dashboard display using a display computing system. Inone embodiment, one or more first data ranges are connected to one ormore second data ranges from one or more data sources. The dashboard candisplay using data from the one or more second data ranges.

In one embodiment, the dashboard displays with the problem walls fromclustering messages received from infrastructure 14 data can use agraphical user interface that is free from receiving textual or textualprogramming code from the client. In this embodiment the method mayinclude processing place problem walls from clustering messages receivedfrom managed infrastructure 14 from the one or more data sources anddisplaying a visual representation of the data in a graph or chart form.This can include a method that includes a component that may be modifiedby using a graphical user interface that results in a modification ofthe dashboard display.

In one embodiment, a method is provided that includes a dashboarddisplay generated by a first software program that generates a visualdisplay. This can include, executing a second software program on thedisplay computer system to retrieve the data from the one or more datasources and displaying the dashboard and the method may includeconverting, using a generic adapter, the data from the one or more datasources into data structures that are compatible with a format of thefile.

In one embodiment, the exporting can include converting the placeproblem walls from clustering messages received from infrastructure 14data from the one or more second data sources into data structures thatare compatible with the graphic file format. In one embodiment, this caninclude converting using an external interface adapter. A graphic fileformat can be a short web format that allows a software to access theone or more first data ranges.

In another embodiment, a user interface system has an externalconnection adapter configured to provide access to one or more datafields within a file. As a non-limiting example, this can include adisplay computer system that maps using a graphical user interface theone or more data fields to data from one or more data sources. Thedisplay computer system can generate a dashboard display from aconfiguration in the file. In one embodiment, the display includes placeproblem walls from clustering messages received from infrastructure 14data from one or more data sources and information from one or more datafields. A graphical user interface can be provided that is free ofreceiving textual programming code from the user.

In one embodiment, a first software executed on a display computersystem that generates the dashboard in a visual graphic display. Asecond software program can be included to execute on the displaycomputer system and retrieve the data from the one or more data sourcesand display the dashboard display. A generic adapter can be utilized toconvert the data from the one or more data sources into one or more datastructures that are compatible with a format of the file.

In one embodiment, a graphical user interface can modify a component andthis can be used to modify the dashboard display.

In one embodiment, an external connection adapter converts the data fromthe one or more data sources into data structures that are compatiblewith a format of the file using the external connection adapter.

The logics can be machine-readable media for carrying or havemachine-executable instructions or data structures stored thereon. Themachine-readable media can be any available media that may be accessedby a general purpose or special purpose computer or other machine with aprocessor. As a non-limiting example, a variety of machine-readablemedia can be utilized, including but not limited to: RAM, ROM, EPROM,EEPROM, CD-ROM or other optical disk storage, magnetic disk storage orother magnetic storage devices, non-transitory computer readable mediaor non-transmissible computer-readable media or any other medium whichmay be used to carry or store desired program code in the form ofmachine-executable instructions or data structures and which may beaccessed by a general purpose or special purpose computer or othermachine with a processor. With the dashboard system, any such type ofconnection is termed a machine-readable medium. It will be appreciatedthat the machine-readable medium can include combinations of thepreceding.

As non-limiting examples, with the dashboard system, machine-executableinstructions can be: instructions and data which cause a general-purposecomputer, special purpose computer, or special purpose processingmachines to perform a certain function or group of functions, and thelike.

The dashboard system can be implemented by a program product includingmachine-executable instructions, such as program code. As a non-limitingexample, this can be program modules executed by machines in networkedenvironments. As non-limiting examples, the program modules can includeroutines, programs, objects, components, data structures, and the like,that perform particular tasks or implement particular abstract datatypes. As non-limiting examples the dashboard system can utilize,machine-executable instructions, associated data structures, and programmodules as program code for executing steps of the methods disclosedherein.

As non-limiting examples, the dashboard system can be executed in anetworked environment using logical connections to one or more remotecomputers having processors. AS non-limiting examples, suitable networkcomputing environments can be, computers, including personal computers,mobile devices, multi-processor systems, microprocessor-based orprogrammable consumer electronics, network PCs, minicomputers, mainframecomputers, and the like.

In certain embodiments, the dashboard system can be executed indistributed computing environments where tasks are performed by localand remote processing devices that are linked. As non-limiting examples,the linking can be by, hardwired links, wireless links, combination ofhardwired or wireless links, and the like, through a communicationsnetwork. In one embodiment, computing environment, program modules maybe located in both local and remote memory storage devices.

As a non-limiting example, one embodiment of a system for implementingthe overall system or portions of the embodiments can include ageneral-purpose computing computer in the form of computers, including aprocessing unit, a system memory or database, and a system bus thatcouples various system components including the system memory to theprocessing unit. The database or system memory cam include read onlymemory (ROM) and random-access memory (RAM).

As a non-limiting example, the database can be a magnetic hard diskdrive for reading from and writing to a magnetic hard disk, a magneticdisk drive for reading from or writing to a removable magnetic disk, andan optical disk drive for reading from or writing to a removable opticaldisk such as a CD ROM or other optical media, and the like.

As a non-limiting example, the drives and their associatedmachine-readable media can be used to provide nonvolatile storage ofmachine-executable instructions, data structures, program modules andother data for the computer. It should also be noted that the word“terminal” as used herein is intended to encompass computer input andoutput devices. User interfaces, as described herein may include acomputer with monitor, keyboard, a keypad, a mouse, joystick or otherinput devices performing a similar function.

Referring now to FIGS. 20 through 22, diagrams are provided illustratingembodiments of a mobile or computing device that can be used asinfrastructure 14 with system 10.

Referring to FIGS. 20-22, the mobile or computing device can include adisplay that can be a touch sensitive display. The touch-sensitivedisplay is sometimes called a “touch screen” for convenience, and mayalso be known as or called a touch-sensitive display system. The mobileor computing device may include a memory (which may include one or morecomputer readable storage mediums), a memory controller, one or moreprocessing units (CPU's), a peripherals interface, Network Systemscircuitry, including but not limited to RF circuitry, audio circuitry, aspeaker, a microphone, an input/output (I/O) subsystem, other input orcontrol devices, and an external port. The mobile or computing devicemay include one or more optical sensors. These components maycommunicate over one or more communication buses or signal lines.

It should be appreciated that the mobile or computing device is only oneexample of a portable multifunction mobile or computing device, and thatthe mobile or computing device may have more or fewer components thanshown, may combine two or more components, or a may have a differentconfiguration or arrangement of the components. The various componentsshown in FIG. 21 may be implemented in hardware, software or acombination of hardware and software, including one or more signalprocessing and/or application specific integrated circuits.

Memory may include high-speed random-access memory and may also includenon-volatile memory, such as one or more magnetic disk storage devices,flash memory devices, or other non-volatile solid-state memory devices.Access to memory by other components of the mobile or computing device,such as the CPU and the peripherals interface, may be controlled by thememory controller.

The peripherals interface couples the input and output peripherals ofthe device to the CPU and memory. The one or more processors run orexecute various software programs and/or sets of instructions stored inmemory to perform various functions for the mobile or computing deviceand to process data.

In some embodiments, the peripherals interface, the CPU, and the memorycontroller may be implemented on a single chip, such as a chip. In someother embodiments, they may be implemented on separate chips.

The Network System circuitry receives and sends signals, including butnot limited to RF, also called electromagnetic signals. The NetworkSystem circuitry converts electrical signals to/from electromagneticsignals and communicates with communications networks and othercommunications devices via the electromagnetic signals. The NetworkSystems circuitry may include well-known circuitry for performing thesefunctions, including but not limited to an antenna system, an RFtransceiver, one or more amplifiers, a tuner, one or more oscillators, adigital signal processor, a CODEC chipset, a subscriber identity module(SIM) card, memory, and so forth. The Network Systems circuitry maycommunicate with networks, such as the Internet, also referred to as theWorld Wide Web (WWW), an intranet and/or a wireless network, such as acellular telephone network, a wireless local area network (LAN) and/or ametropolitan area network (MAN), and other devices by wirelesscommunication.

The wireless communication may use any of a plurality of communicationsstandards, protocols and technologies, including but not limited toGlobal System for Mobile Communications (GSM), Enhanced Data GSMEnvironment (EDGE), high-speed downlink packet access (HSDPA), widebandcode division multiple access (W-CDMA), code division multiple access(CDMA), time division multiple access (TDMA), BLUETOOTH®, WirelessFidelity (Wi-Fi) (e.g., IEEE 802.11a, IEEE 802.11b, IEEE 802.11g and/orIEEE 802.11n), voice over Internet Protocol (VoIP), Wi-MAX, a protocolfor email (e.g., Internet message access protocol (IMAP) and/or postoffice protocol (POP)), instant messaging (e.g., extensible messagingand presence protocol (XMPP), Session Initiation Protocol for InstantMessaging and Presence Leveraging Extensions (SIMPLE), and/or InstantMessaging and Presence Service (IMPS)), and/or Short Message Service(SMS)), or any other suitable communication protocol, includingcommunication protocols not yet developed as of the filing date of thisdocument.

The audio circuitry, the speaker, and the microphone provide an audiointerface between a user and the mobile or computing device. The audiocircuitry receives audio data from the peripherals interface, convertsthe audio data to an electrical signal, and transmits the electricalsignal to the speaker. The speaker converts the electrical signal tohuman-audible sound waves. The audio circuitry also receives electricalsignals converted by the microphone from sound waves. The audiocircuitry converts the electrical signal to audio data and transmits theaudio data to the peripherals interface for processing. Audio data maybe retrieved from and/or transmitted to memory and/or the NetworkSystems circuitry by the peripherals interface. In some embodiments, theaudio circuitry also includes a headset jack (FIG. 20). The headset jackprovides an interface between the audio circuitry and removable audioinput/output peripherals, such as output-only headphones or a headsetwith both output (e.g., a headphone for one or both ears) and input(e.g., a microphone).

The I/O subsystem couples input/output peripherals on the mobile orcomputing device, such as the touch screen and other input/controldevices, to the peripherals interface. The I/O subsystem may include adisplay controller and one or more input controllers for other input orcontrol devices. The one or more input controllers 1 receive/sendelectrical signals from/to other input or control devices. The otherinput/control devices may include physical buttons (e.g., push buttons,rocker buttons, etc.), dials, slider switches, and joysticks, clickwheels, and so forth. In some alternate embodiments, input controller(s)may be coupled to any (or none) of the following: a keyboard, infraredport, USB port, and a pointer device such as a mouse. The one or morebuttons may include an up/down button for volume control of the speakerand/or the microphone. The one or more buttons may include a pushbutton. A quick press of the push button may disengage a lock of thetouch screen or begin a process that uses gestures on the touch screento unlock the device, as described in U.S. patent application Ser. No.11/322,549, “Unlocking a Device by Performing Gestures on an UnlockImage,” filed Dec. 23, 2005, which is hereby incorporated by referencein its entirety. A longer press of the push button may turn power to themobile or computing device on or off. The user may be able to customizea functionality of one or more of the buttons. The touch screen is usedto implement virtual or soft buttons and one or more soft keyboards.

The touch-sensitive touch screen provides an input interface and anoutput interface between the device and a user. The display controllerreceives and/or sends electrical signals from/to the touch screen. Thetouch screen displays visual output to the user. The visual output mayinclude graphics, text, icons, video, and any combination thereof(collectively termed “graphics”). In some embodiments, some or all ofthe visual output may correspond to user-interface objects, furtherdetails of which are described below.

A touch screen has a touch-sensitive surface, sensor or set of sensorsthat accepts input from the user based on haptic and/or tactile contact.The touch screen and the display controller (along with any associatedmodules and/or sets of instructions in memory) detect contact (and anymovement or breaking of the contact) on the touch screen and convertsthe detected contact into interaction with user-interface objects (e.g.,one or more soft keys, icons, web pages or images) that are displayed onthe touch screen. In an exemplary embodiment, a point of contact betweena touch screen and the user corresponds to a finger of the user.

The touch screen may use LCD (liquid crystal display) technology, or LPD(light emitting polymer display) technology, although other displaytechnologies may be used in other embodiments. The touch screen and thedisplay controller may detect contact and any movement or breakingthereof using any of a plurality of touch sensing technologies now knownor later developed, including but not limited to capacitive, resistive,infrared, and surface acoustic wave technologies, as well as otherproximity sensor arrays or other elements for determining one or morepoints of contact with a touch screen.

A touch-sensitive display in some embodiments of the touch screen may beanalogous to the multi-touch sensitive tablets described in thefollowing U.S. Pat. No. 6,323,846 (Westerman et al.), U.S. Pat. No.6,570,557 (Westerman et al.), and/or U.S. Pat. No. 6,677,932(Westerman), and/or U.S. Patent Publication 2002/0015024A1, each ofwhich is hereby incorporated by reference in their entirety. However, atouch screen displays visual output from the portable mobile orcomputing device, whereas touch sensitive tablets do not provide visualoutput.

A touch-sensitive display in some embodiments of the touch screen may beas described in the following applications: (1) U.S. patent applicationSer. No. 11/381,313, “Multipoint Touch Surface Controller,” filed May12, 2006; (2) U.S. patent application Ser. No. 10/840,862, “MultipointTouchscreen,” filed May 6, 2004; (3) U.S. patent application Ser. No.10/903,964, “Gestures For Touch Sensitive Input Devices,” filed Jul. 30,2004; (4) U.S. patent application Ser. No. 11/048,264, “Gestures ForTouch Sensitive Input Devices,” filed Jan. 31, 2005; (5) U.S. patentapplication Ser. No. 11/038,590, “Mode-Based Graphical User InterfacesFor Touch Sensitive Input Devices,” filed Jan. 18, 2005; (6) U.S. patentapplication Ser. No. 11/228,758, “Virtual Input Device Placement On ATouch Screen User Interface,” filed Sep. 16, 2005; (7) U.S. patentapplication Ser. No. 11/228,700, “Operation Of A Computer With A TouchScreen Interface,” filed Sep. 16, 2005; (8) U.S. patent application Ser.No. 11/228,737, “Activating Virtual Keys Of A Touch-Screen VirtualKeyboard,” filed Sep. 16, 2005; and (9) U.S. patent application Ser. No.11/367,749, “Multi-Functional Hand-Held Device,” filed Mar. 3, 2006. Allof these applications are incorporated by reference herein in theirentirety.

The touch screen may have a resolution in excess of 1000 dpi. In anexemplary embodiment, the touch screen has a resolution of approximately1060 dpi. The user may contact the touch screen using any suitableobject or appendage, such as a stylus, a finger, and so forth. In someembodiments, the user interface is designed to work primarily withfinger-based contacts and gestures, which are much less precise thanstylus-based input due to the larger area of contact of a finger on thetouch screen. In some embodiments, the device translates the roughfinger-based input into a precise pointer/cursor position or command forperforming the actions desired by the user.

In some embodiments, in addition to the touch screen, the mobile orcomputing device may include a touchpad (not shown) for activating ordeactivating particular functions. In some embodiments, the touchpad isa touch-sensitive area of the device that, unlike the touch screen, doesnot display visual output. The touchpad may be a touch-sensitive surfacethat is separate from the touch screen or an extension of thetouch-sensitive surface formed by the touch screen.

In some embodiments, the mobile or computing device may include aphysical or virtual click wheel as an input control device. A user maynavigate among and interact with one or more graphical objects(henceforth referred to as icons) displayed in the touch screen byrotating the click wheel or by moving a point of contact with the clickwheel (e.g., where the amount of movement of the point of contact ismeasured by its angular displacement with respect to a center point ofthe click wheel). The click wheel may also be used to select one or moreof the displayed icons. For example, the user may press down on at leasta portion of the click wheel or an associated button. User commands andnavigation commands provided by the user via the click wheel may beprocessed by an input controller as well as one or more of the modulesand/or sets of instructions in memory. For a virtual click wheel, theclick wheel and click wheel controller may be part of the touch screenand the display controller, respectively. For a virtual click wheel, theclick wheel may be either an opaque or semitransparent object thatappears and disappears on the touch screen display in response to userinteraction with the device. In some embodiments, a virtual click wheelis displayed on the touch screen of a portable multifunction device andoperated by user contact with the touch screen.

The mobile or computing device also includes a power system for poweringthe various components. The power system may include a power managementsystem, one or more power sources (e.g., battery, alternating current(AC)), a recharging system, a power failure detection circuit, a powerconverter or inverter, a power status indicator (e.g., a light-emittingdiode (LED)) and any other components associated with the generation,management and distribution of power in portable devices.

The mobile or computing device may also include one or more sensors,including not limited to optical sensors. FIG. 30 illustrates how anoptical sensor coupled to an optical sensor controller in I/O subsystem.The optical sensor may include charge-coupled device (CCD) orcomplementary metal-oxide semiconductor (CMOS) phototransistors. Theoptical sensor receives light from the environment, projected throughone or more lens, and converts the light to data representing an image.In conjunction with an imaging module 58 (also called a camera module);the optical sensor may capture still images or video. In someembodiments, an optical sensor is located on the back of the mobile orcomputing device, opposite the touch screen display on the front of thedevice, so that the touch screen display may be used as a viewfinder foreither still and/or video image acquisition. In some embodiments, anoptical sensor is located on the front of the device so that the user'simage may be obtained for videoconferencing while the user views theother video conference participants on the touch screen display. In someembodiments, the position of the optical sensor can be changed by theuser (e.g., by rotating the lens and the sensor in the device housing)so that a single optical sensor may be used along with the touch screendisplay for both video conferencing and still and/or video imageacquisition.

The mobile or computing device may also include one or more proximitysensors. In one embodiment, the proximity sensor is coupled to theperipherals interface. Alternately, the proximity sensor may be coupledto an input controller in the I/O subsystem. The proximity sensor mayperform as described in U.S. patent application Ser. No. 11/241,839,“Proximity Detector In Handheld Device,” filed Sep. 30, 2005; Ser. No.11/240,788, “Proximity Detector In Handheld Device,” filed Sep. 30,2005; Ser. No. 13/096,386, “Using Ambient Light Sensor To AugmentProximity Sensor Output”; Ser. No. 13/096,386, “Automated Response ToAnd Sensing Of User Activity In Portable Devices,” filed Oct. 24, 2006;and Ser. No. 11/638,251, “Methods And Systems For AutomaticConfiguration Of Peripherals,” which are hereby incorporated byreference in their entirety. In some embodiments, the proximity sensorturns off and disables the touch screen when the multifunction device isplaced near the user's ear (e.g., when the user is making a phone call).In some embodiments, the proximity sensor keeps the screen off when thedevice is in the user's pocket, purse, or other dark area to preventunnecessary battery drainage when the device is a locked state.

In some embodiments, the software components stored in memory mayinclude an operating system, a communication module (or set ofinstructions), a contact/motion module (or set of instructions), agraphics module (or set of instructions), a text input module (or set ofinstructions), a Global Positioning System (GPS) module (or set ofinstructions), and applications (or set of instructions).

The operating system (e.g., Darwin, RTXC, LINUX, UNIX, OS X, WINDOWS, oran embedded operating system such as VxWorks) includes various softwarecomponents and/or drivers for controlling and managing general systemtasks (e.g., memory management, storage device control, powermanagement, etc.) and facilitates communication between various hardwareand software components.

The communication module facilitates communication with other devicesover one or more external ports and also includes various softwarecomponents for handling data received by the Network Systems circuitryand/or the external port. The external port (e.g., Universal Serial Bus(USB), FIREWIRE, etc.) is adapted for coupling directly to other devicesor indirectly over a network (e.g., the Internet, wireless LAN, etc.).In some embodiments, the external port is a multi-pin (e.g., 30-pin)connector that is the same as, or similar to and/or compatible with the30-pin connector used on iPod (trademark of Apple Computer, Inc.)devices.

The contact/motion module may detect contact with the touch screen (inconjunction with the display controller) and other touch sensitivedevices (e.g., a touchpad or physical click wheel). The contact/motionmodule includes various software components for performing variousoperations related to detection of contact, such as determining ifcontact has occurred, determining if there is movement of the contactand tracking the movement across the touch screen, and determining ifthe contact has been broken (i.e., if the contact has ceased).Determining movement of the point of contact may include determiningspeed (magnitude), velocity (magnitude and direction), and/or anacceleration (a change in magnitude and/or direction) of the point ofcontact. These operations may be applied to single contacts (e.g., onefinger contacts) or to multiple simultaneous contacts (e.g.,“multitouch”/multiple finger contacts). In some embodiments, thecontact/motion module and the display controller also detect contact ona touchpad. In some embodiments, the contact/motion module and thecontroller detect contact on a click wheel.

Examples of other applications that may be stored in memory includeother word processing applications, JAVA-enabled applications,encryption, digital rights management, voice recognition, and voicereplication.

In conjunction with touch screen, display controller, contact module,graphics module, and text input module, a contacts module may be used tomanage an address book or contact list, including: adding name(s) to theaddress book; deleting name(s) from the address book; associatingtelephone number(s), e-mail address(es), physical address(es) or otherinformation with a name; associating an image with a name; categorizingand sorting names; providing telephone numbers or e-mail addresses toinitiate and/or facilitate communications by telephone, videoconference, e-mail, or IM; and so forth.

FIG. 23 illustrates a reporting engine 360 in block diagram form that iscoupled to system 10. The reporting engine generates reports from theclustered clustering events and/or messages. In one embodiment, thereport engine 360 is coupled to the situation room 18.

In one embodiment, computer-executable instructions implement thereporting engine 360. In one embodiment, the instructions include apredefined procedure component 362, a metadata component, or layer, 364,and an interface component 366 illustrated in FIG. 24.

Reporting engine 360 generates a report at 368 from the clustered eventsand/or messages which can be retrieved from situation room 18. In oneembodiment, the reporting engine 360 is in communication with one ormore dashboards associated with the situation room and retrievesinformation therefrom in response to a request received at 370 forselected information that is used to generate a report.

As non-limiting examples, reports can include but are not limited to,graphical using charts/tables, and the like on a display screen andprinted in tabulated and graphical form; inter-alia: composite metricsthat can include:

system or infrastructure components health; operator efficiency (averagetime taken to detect and resolve incident as described by a cluster);detail on a monitored incident; USR interactive reports; SCA (servicelegal agreement) compliance, and the like.

In one embodiment, the clustered events/messages are in a database 372illustrated in FIG. 23. The metadata layer 364 can be maintainedseparately or together with the data to be searched in database 372.

In one embodiment, queries regarding the clustered events/messages areanswered through reports generated from, as a non-limiting example,structured query language (SQL) statements that need to be heavilycustomized as new report requirements arise. Those skilled in the artare familiar with the use of SQL statements or strings to define SQLcommands typically used in queries and aggregate functions.

In one embodiment, reporting engine 360 has three main parts, i.e., themetadata layer 364, the interface 366 embodying simplified query syntax,and the procedure component 362.

As an example, database 372 represents an exemplary data warehousecontaining the clustered events/messages. The clustered events/messagescan have several dimensions.

As a non-limiting example, a procedure component 362, shown in FIG. 23by a predefined, stored procedure, prc_report, reporting engine 360returns a result set at 368 that matches the user-specified format andsearch conditions, as indicated at 370.

In one embodiment, the metadata in metadata layer 364 describes theclustered events/messages that can be in database 372 or accessed via adashboard directly according to one or more of its characteristics, suchas its data type. As a non-limiting example, metadata layer 364 caninclude entities and SQL view describing the related dimensions,attributes, measures, and/or facts relative to the clusteredevents/messages.

As a non-limiting example, an attribute can be a descriptivecharacteristic of one or more levels representing logical groupings thatenable end users to select information based on like characteristics. Anattribute can be a column or row in a dimension that characterizeselements of a single level. A measure can be a numeric value stored in afact table or cube.

As a non-limiting example, to extract information out of system 10,including database 372, procedure component 362 first accepts inputsfrom the user at 370 according to the query syntax of interface 366. Inturn, procedure component 362 takes the inputs, matches them withmetadata layer 364, and constructs a set of SQL statements to retrieveinformation from the clusters. When reporting engine 360 receives arequest for information to be retrieved it uses the metadata. Procedurecomponent 362 then constructs a query (e.g., one or more SQL statements)based on the fact table's SQL view, runs the query, and returns theresult in the form of a report.

Referring now to FIG. 24, an exemplary flow diagram illustrates aspectsof reporting engine 360 including interface component 366.

FIG. 25 is a block diagram illustrating an exemplary reporting enginemetadata reporting framework.

In one embodiment, event clustering system 10 includes a processor. Anextraction engine 12 is in communication with an infrastructure 14. Theextraction engine 12 receives data from the infrastructure 14. Asignalizer engine 22 includes one or more of an NMF engine 24, a k-meansclustering engine 26 and a topology proximity engine 28. The signalizerengine 22 determines one or more common steps from events and producesclusters relating to the alerts and or events. In response to productionof the clusters one or more physical changes are made in a managedinfrastructure hardware. Multi-systems interact with each other.

Referring to FIG. 26, in one embodiment, system 10 provides separationand independent management, allowing for enabling multi-systems tointeract with each other. Data separation and scale is provided. As anon-limiting example, system 10 allows for consolidation of informationfrom a space with an aggregation of information from a lower tier levelto a higher or a top tier level of information. Every layer ofinformation recited above is a lower tier level. These lower tier layersof information can-not operate on their own. Each lower tier layer has alink to an upper or top tier level. As a non-limiting example, there canbe a plurality or “n” layers of lower tiers that are coupled to the toptier level. Each lower tier layer is a discrete operational area. Thetop tier level has access to all lower layers. In one embodiment,entanglement is desired but the depth of entanglement is configurable.As a non-limiting example an object “A” in a lower tier level has anobject “A” in the top tier level. An alteration of a lower tier levelcreates an alteration in a top tier level.

However, there is no-cross-lower tier level entanglement andmodification. A lower tier level can modify things at the top tierlevel, but can-not change or modify other lower tier levels. A user ofthe top tier level can act on a lower tier level, and a user of a lowertier level can-not go across other lower tier levels to made alterationsto other lower tier levels.

The foregoing description of various embodiments of the claimed subjectmatter has been provided for the purposes of illustration anddescription. It is not intended to be exhaustive or to limit the claimedsubject matter to the precise forms disclosed. Many modifications andvariations will be apparent to the practitioner skilled in the art.Particularly, while the concept “component” is used in the embodimentsof the systems and methods described above, it will be evident that suchconcept can be interchangeably used with equivalent concepts such as,class, method, type, interface, module, object model, and other suitableconcepts. Embodiments were chosen and described in order to bestdescribe the principles of the invention and its practical application,thereby enabling others skilled in the relevant art to understand theclaimed subject matter, the various embodiments and with variousmodifications that are suited to the particular use contemplated.

What is claimed is:
 1. An event clustering system with a processor,comprising: an extraction engine in communication with aninfrastructure, the extraction engine in operation receiving data fromthe infrastructure and produces events and populates a database; asignalizer engine that includes one or more of an NMF engine, a k-meansclustering engine and a topology proximity engine, the signalizer enginedetermining one or more common steps from events and produces clustersrelating to the alerts and or events; in response to production of theclusters one or more physical changes are made in a managedinfrastructure hardware is made; and wherein multi-systems interact witheach other.
 2. The system of claim 1, wherein data separation and scaleare provided.
 3. The system of claim 1, wherein consolidation ofinformation from a space is provided with an aggregation of informationfrom a lower tier level to a higher or a top tier level of information.4. The system of claim 3, wherein lower tier layers of informationcan-not operate on their own.
 5. The system of claim 3, wherein eachlower tier layer has a link to the top tier level.
 6. The system ofclaim 3, wherein there are a plurality or “n” layers of lower tierscoupled to the top tier level.
 7. The system of claim 3, wherein eachlower tier layer is a discrete operational area.
 8. The system of claim3, wherein the top tier level has access to all lower tier layers. 9.The system of claim 3, wherein an entanglement between lower levels isallowed and a depth of entanglement is configurable.
 10. The system ofclaim 3, wherein an object “A” in a lower tier level has an object “A”in the top tier level.
 11. The system of claim 3, wherein an alterationof a lower tier level creates an alteration in a top tier level.
 12. Thesystem of claim 11, wherein there is no-cross-lower tier levelentanglement or modification.
 13. The system of claim 11, wherein alower tier level can modify things at the top tier level, but can-notchange or modify other lower tier levels.
 14. The system of claim 11,wherein a user of the top tier level can act on a lower tier level, anda user of a lower tier level can-not go across other lower tier levelsto made alterations to other lower tier levels.
 15. The system of claim1, wherein security includes at least one of managed infrastructure:breach, intrusion or propagation.
 16. The system of claim 1, whereinsecurity includes managed infrastructure: access control, intrusiondetection and threat propagation.
 17. The system of claim 1, whereinsecurity includes authentication of a subject.
 18. The system of claim1, wherein security includes authorization of a subject.
 19. The systemof claim 18, wherein authorization specifies what a subject can do. 20.The system of claim 1, wherein security includes audit.
 21. The systemof claim 1, where security includes identification and authentication toensure that only authorized subjects can access the managedinfrastructure.
 22. The system of claim 1, wherein security includesaccess approval grants to the managed infrastructure by association ofusers with resources that they are allowed to access, based on anauthorization policy.
 23. The system of claim 1, wherein the reportingengine generates reports from the clustered events and/or messages. 24.The system of claim 1, wherein the report engine is coupled to asituation room of the event clustering system.
 25. The system of claim1, wherein computer-executable instructions implement the reportingengine.
 26. The system of claim 25, wherein the instructions include apredefined procedure component, a metadata component, or layer, and aninterface component.
 27. The system of claim 1, wherein the reportingengine generates a report from the clustered events and/or messageswhich can be retrieved from a situation room.
 28. The system of claim 1,wherein the reporting engine is in communication with one or moredashboards associated with a situation room and retrieves informationtherefrom in response to a request that is used to generate a report.29. The system of claim 1, wherein clustered events/messages are in adatabase.
 30. The system of claim 1, wherein queries regarding theclustered events/messages are answered through reports generated fromstructured query language (SQL) statements.
 31. The system of claim 1,wherein the reporting engine includes a metadata layer, an interface anda procedure component.
 32. The system of claim 1, wherein the clusteredevents/messages have several dimensions.
 33. The system of claim 32,wherein one of the dimensions is a procedure component.